Brainwave based authentication prototype from UC Berkeley (ischool.berkeley.edu)
28 points by m0hit on April 10, 2013 | 16 comments


In a similar vein, Usenix Security 2012 had a session called "The Brain" with these two papers: https://www.usenix.org/conference/usenixsecurity12/neuroscie... https://www.usenix.org/conference/usenixsecurity12/feasibili...

The first is only slightly related to this article; it uses implicit learning to train users to authenticate with secrets that they cannot recall consciously (and therefore can't be coerced into revealing).

The second is about recovering secret information from brain-computer interfaces, and though this seems very relevant to the proposal of authenticating via "passthoughts", neither of these papers seems to cite each other.

(The Berkeley paper is at http://www.kisc.meiji.ac.jp/~ethicj/USEC13/submissions/usec1...)


Having been in that session, no one I met thought at all highly of the second paper.

First, it was unlikely you'd actually ever enter sensitive data while using one of those EEGs (as they are only used in games). Ironically, if you deployed this authentication method, you'd actually be providing an exploit vector, since you could plausibly alter the authentication game to cause it to measure something more sinister.

This is important because the second complaint everyone had was that the USENIX paper didn't actually read information covertly. They asked you to think about your PIN number and flashed digits on screen to see if you recognized them (not covert at all). Effectively this was stuff that was known to be doable with medical-grade EEGs years ago.

Of course, if you basically have an authentication mechanism that mimics their awful experiment, the results might actually apply.


Summary of the actual paper: they take a single-sensor EEG sample of your brain doing some simple task and compare it to both a set of samples of your brain doing the task (this comparison's result is the selfSim value) and of a bunch of other people doing the task (resulting in the crossSim score). "if the percent difference between selfSim and crossSim is greater than or equal to T, we accept the authentication attempt. If not, we reject it."

Of course, this actually says nothing about the feasibility of emulating someone else's signal (which may get way easier if it's a single sensor).

I'm skeptical of this, both that it will hold up to an adversarial attacker and that it's actually right. Deciding that something is a unique identifier off a small sample size reminds me of some of the really bad forensic techniques people used (e.g. [0]).

[0] http://www.washingtonpost.com/wp-dyn/content/article/2007/11...
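
The accept/reject rule summarized in the comment above, as an added example that is not part of the thread or the paper's own code; it measures false rejects and false accepts as the threshold T moves. Cosine similarity, percent difference taken relative to crossSim, and the three-value feature vectors are all assumptions, with the data constructed for illustration.

```python
import math

def cosine(a, b):
    """Cosine similarity of two equal-length feature vectors (assumed metric)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm

def mean_sim(sample, refs):
    """Average similarity of one sample against a set of reference samples."""
    return sum(cosine(sample, r) for r in refs) / len(refs)

def percent_difference(sample, own_refs, other_refs):
    """(selfSim - crossSim) / crossSim, in percent (assumed definition)."""
    self_sim = mean_sim(sample, own_refs)
    cross_sim = mean_sim(sample, other_refs)
    return (self_sim - cross_sim) / cross_sim * 100.0

def accept(sample, own_refs, other_refs, threshold):
    """The quoted rule: accept when the percent difference is >= T."""
    return percent_difference(sample, own_refs, other_refs) >= threshold

def error_rates(genuine, impostor, own_refs, other_refs, threshold):
    """Return (false reject rate, false accept rate) for one threshold."""
    rejected = sum(not accept(s, own_refs, other_refs, threshold) for s in genuine)
    accepted = sum(accept(s, own_refs, other_refs, threshold) for s in impostor)
    return rejected / len(genuine), accepted / len(impostor)

# Constructed data: each vector stands in for features of one EEG recording.
OWN_REFS = [[4, 1, 1], [4, 1, 2]]      # enrolled samples of the claimed user
OTHER_REFS = [[1, 4, 1], [1, 1, 4]]    # samples from other people
GENUINE = [[4, 2, 1], [3, 1, 2]]       # later attempts by the same user
IMPOSTOR = [[1, 3, 2], [3, 2, 2]]      # second one resembles the user

if __name__ == "__main__":
    for t in (20, 40, 50):
        frr, far = error_rates(GENUINE, IMPOSTOR, OWN_REFS, OTHER_REFS, t)
        print(f"T={t}%  false reject rate={frr:.2f}  false accept rate={far:.2f}")
```

With so few samples, one look-alike recording or one noisy genuine attempt moves either error rate by half, so a threshold chosen on a small pool says little about a larger population.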


I wonder how easy it is to use while drunk. Do they do usability testing trials for that?


Has anyone used this MindSet in the article? I remember a similar technology coming out, but didn't see anything happening there. Has anyone used any of these for gaming or UI control?


MindSet is used in the game "Throw Trucks With Your Mind," which recently had a successful Kickstarter campaign. I've played with a prototype build of the game; the headset works great, although I'm surprised that it's also precise enough for user authentication.


Ah, thank you. Is it worth buying to play around with? I don't even know how you'd control things with it...


I haven't looked into building anything (I've just played with demos when they're available) but my understanding is that what is offered in most of these neurointerface platforms is an API for simple things, and then low-level access to digital signals, with one channel for each area of the brain being sampled. So if you're doing things low-level expect to be applying some DSP knowledge.


I wonder how this would interact with duress—especially considering sometimes it's especially important to log on under duress, sometimes it's especially important to NOT log on.


Something like this could make authentication (and potentially other tasks) with face-computing devices seamless and secure!


Woah, let's see if it still works when you're pissed at your spouse.


So to steal things you must steal their brains? This is how the zombie apocalypse starts...


that reminds me of my 5 year old little poem http://information-man.com/googles-personal_healthcare_gmail...


This is very interesting. Thanks for sharing!


one thing would be to look at the paper, and also the quality of the telemetry they are getting from this.


Don't have time to read through it (have other papers which I have to get through first!) but here's a draft of their paper that they submitted for the conference.

http://www.kisc.meiji.ac.jp/~ethicj/USEC13/submissions/usec1...



